1

Can anyone see what is wrong with this shorthand in relation to the problem below?

echo "<td><font size=1 color=#e4d6b5>" . ($row['tier']<$_SESSIONS['tier'] ? "ACCESS DENIED" : $row['contents']) . "</font></td>";

I have two tables in my database:

1.) members (id,username,email,password,salt,tier) <-tier is the user's security clearance level.

2.) opwire (category,contents,date,userid,seclevel) <-opwire stores user submitted data, userid is just a number that references the user who just submitted data to opwire. Seclevel is how high of a security clearance level (tier) a user needs to see that particular line of submitted data.

I'm attempting to get the currently logged in user to be granted or restricted access to 'contents' based on their security tier (referencing member's tier vs opwire's seclevel.) I'm also not entirely confident I'm using http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL

and I usually get the current user with: 

$userId = $_SESSION['user_id'];

The entire table building php is below. Currently users with any tier can incorrectly view any seclevel contents when their tier should be restricting it.

<?php 

include_once 'functions.php';
include_once 'db_connect.php';
sec_session_start();

if(login_check($mysqli) == true) {

$con=mysqli_connect("localhost","mylogin","mypassword","mysqldatabase");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }


function getColor($strOption)
{
   switch ($strOption)
   {
       case "Case 1":
       return "#cbae80";

       case "Case 2":
       return "#e59350";

       case "Case 3":
       return "#b7aaa4";

    }
}


$result = mysqli_query($con,"SELECT opwire.*,members.username FROM opwire 
          LEFT JOIN members on opwire.userid=members.id order by date DESC");

echo "<table border='1'>
<tr>
<th>Category</th>
<th>Contents</th>
<th>Date/Time</th>
<th>Operative</th>
</tr>";

while($row = mysqli_fetch_array($result))
 {
 echo "<tr>";
 echo "<td><font size=1 color='".getColor($row['category'])."'> " . $row['category'] . "</font></td>";
 echo "<td><font size=1 color=#e4d6b5>" . ($row['tier']<$_SESSIONS['tier'] ? "ACCESS DENIED" : $row['contents']) . "</font></td>";
 echo "<td><font size=1 color=silver>" . $row['date'] . "</font></td>";
 echo "<td><font size=1 color=gold>" . $row['username'] . "</font></td>";
 echo "</tr>";
 }
echo "</table>";

mysqli_close($con);

} else {
   echo 'Access to this area requires security clearance. <br/>';
}

?>
sylcat
  • 151
  • 1
  • 3
  • 18
  • So what exactly isn't working? What's the first issue to manifest itself? A cursory looks shows a whole ton of stuff wrong here, so start with one issue at a time. – patricksweeney Nov 08 '13 at 03:35
  • ($row['tier']<$_SESSIONS['tier']. What is it <$ ? I think, this is problem. – 502_Geek Nov 08 '13 at 03:36
  • When a user of say, tier 2 logs in, they see everything in the table having to do with 'contents.' They should be seeing only every contents row that is set to seclevel 2 or lower. – sylcat Nov 08 '13 at 03:40
  • I was using < as in less than for the shorthand if/else – sylcat Nov 08 '13 at 03:47

1 Answers1

1

I believe you would need to have "BREAK" at the end of each case, otherwise it will just fall all the way through to "#b7aaa4";

function getColor($strOption)
 {
  switch ($strOption)
  {
   case "Case 1":
   return "#cbae80";
   break;

   case "Case 2":
   return "#e59350";
   break;

   case "Case 3":
   return "#b7aaa4";
   break;
  }
}
Alfred
  • 41
  • 1
  • 3
  • It being a function , considering the `return`'s in each `case` part of the `switch` , `break`'s might be unnecessary . Once the `return` is encountered , the control comes out of the function before it reaches the `break` . – Uours Nov 08 '13 at 03:55